rpm package
almalinux/criu
pkg:rpm/almalinux/criu
Vulnerabilities (101)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-34155 | Med | 4.3 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. |
| CVE-2024-24791 | High | 7.5 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Jul 2, 2024 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co |
| CVE-2024-37298 | High | 7.5 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Jul 1, 2024 | gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality |
| CVE-2024-6104 | — | | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Jun 24, 2024 | go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. |
| CVE-2024-24789 | — | | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Jun 5, 2024 | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac |
| CVE-2024-3727 | High | 8.3 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | May 14, 2024 | A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. |
| CVE-2024-24788 | Med | 5.9 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | May 8, 2024 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. |
| CVE-2024-1394 | High | 7.5 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Mar 21, 2024 | A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and |
| CVE-2024-1753 | High | 8.6 | | < 3.15-3.module_el8.9.0+3821+d7d58347 | 3.15-3.module_el8.9.0+3821+d7d58347 | Mar 18, 2024 | A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause t |
| CVE-2024-28180 | — | | | < 3.18-5.module_el8.10.0+3845+87b84552 | 3.18-5.module_el8.10.0+3845+87b84552 | Mar 9, 2024 | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret |
| CVE-2024-28176 | — | | | < 3.18-5.module_el8.10.0+3845+87b84552 | 3.18-5.module_el8.10.0+3845+87b84552 | Mar 9, 2024 | jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encrypt |
| CVE-2024-24786 | High | 7.5 | | < 3.18-5.module_el8.10.0+3845+87b84552 | 3.18-5.module_el8.10.0+3845+87b84552 | Mar 5, 2024 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. |
| CVE-2024-24785 | Med | 5.4 | | < 3.18-5.module_el8.10.0+4089+ce72bbbe | 3.18-5.module_el8.10.0+4089+ce72bbbe | Mar 5, 2024 | If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. |
| CVE-2024-24784 | High | 7.5 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Mar 5, 2024 | The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. |
| CVE-2024-24783 | Med | 5.9 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Mar 5, 2024 | Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul |
| CVE-2023-45290 | Med | 6.5 | | < 3.18-5.module_el8.10.0+3876+e55593a8 | 3.18-5.module_el8.10.0+3876+e55593a8 | Mar 5, 2024 | When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line |
| CVE-2024-21626 | — | | | < 3.15-3.module_el8.6.0+2877+8e437bf5 | 3.15-3.module_el8.6.0+2877+8e437bf5 | Jan 31, 2024 | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h |
| CVE-2023-39326 | — | | | < 3.15-3.module_el8.6.0+2877+8e437bf5 | 3.15-3.module_el8.6.0+2877+8e437bf5 | Dec 6, 2023 | A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d |
| CVE-2023-45287 | — | | | < 3.15-3.module_el8.6.0+2877+8e437bf5 | 3.15-3.module_el8.6.0+2877+8e437bf5 | Dec 5, 2023 | Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may l |
| CVE-2023-39322 | — | | | < 3.15-3.module_el8.6.0+2877+8e437bf5 | 3.15-3.module_el8.6.0+2877+8e437bf5 | Sep 8, 2023 | QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size. |